Cesnet Liberouter
IDS
The aim of the IDS project is the development of a network intrusion detection system (NIDS) device -- an integrated software/hardware tool capable of detecting unauthorised access to computer systems or networks and malicious network traffic such as viruses, trojan horses and worms. The NIDS device combines packet classification and payload scanning.
Hardware acceleration of string matching is the subject of intensive research. The most promising approach is based on nondeterministic finite automata (NFA). String or regular expression patterns are translated into an NFA, which is then transformed into an equivalent hardware representation. This approach will be used in this project.

NFA representation for two strings (Netflow, Scampi)

By using an NFA that accepts 8 bits in one clock cycle, we are able to achieve a throughput of 800 Mb/s with firmware running at a 100 MHz clock frequency. The throughput can be further increased by utilising a so-called Extended NFA (ENFA) that accepts multiple characters in one clock cycle. In this case, throughput between 1 and 10 Gb/s can be reached. Going beyond 10 Gb/s is currently impossible due to insufficient FPGA capacity, so we must look for optimisations allowing us to deal with the entire Snort rule set at high network speeds.

ENFA representation (16 bits)

The next picture shows the proposed NIDS architecture. The first phase will be implemented without a header classification engine, so patterns are searched for in the whole packet, including the packet header. In the second phase, the HFE unit will extract headers (source and destination port and address, protocol type etc.) and mark the packet body. The pattern matching unit will obtain the Rules match vector by ANDing the Pattern match vector with the Header match vector. Suspicious packets are transferred to software. The IDS device will look like a normal NIC, so Snort can perform additional packet analysis.

Proposed architecture

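The per-byte NFA, its multi-character ENFA variant and the Pattern match AND Header match combination described above, as an added software model that is not part of the Liberouter firmware or package. Patterns, payload and port constraints are constructed samples, not the Snort rule set.

```python
# Constructed sample patterns; the real device compiles the Snort rule set.
PATTERNS = [b"GET /", b"trojan", b"/bin/sh"]

class StringNFA:
    """NFA for a set of literal strings: one state chain per pattern plus a
    start state that is active on every cycle (the hardware self-loop)."""
    def __init__(self, patterns):
        self.trans = {}    # (state, byte) -> set of successor states
        self.final = {}    # accepting state -> pattern index
        n = 1              # state 0 is the start state
        for idx, p in enumerate(patterns):
            prev = 0
            for b in p:
                self.trans.setdefault((prev, b), set()).add(n)
                prev, n = n, n + 1
            self.final[prev] = idx

    def step(self, active, byte):
        """One 8-bit step: all active states fire in parallel (one flip-flop each)."""
        nxt = {0}
        for s in active:
            nxt |= self.trans.get((s, byte), set())
        return nxt

    def scan(self, data, chars_per_cycle=1):
        """Return (pattern match vector, clock cycles). chars_per_cycle > 1 models
        the ENFA, whose transitions consume several characters per cycle; here a
        cycle is composed from single-byte steps, which accepts the same language."""
        active, match_vec, cycles = {0}, 0, 0
        for i in range(0, len(data), chars_per_cycle):
            for b in data[i:i + chars_per_cycle]:
                active = self.step(active, b)
                for s in active:
                    if s in self.final:
                        match_vec |= 1 << self.final[s]
            cycles += 1
        return match_vec, cycles

def header_match_vector(dst_port, rule_ports):
    """Bit i set when rule i's port constraint (None = any port) fits the header."""
    return sum(1 << i for i, p in enumerate(rule_ports) if p is None or p == dst_port)

def rules_match_vector(pattern_vec, header_vec):
    """Rules match vector = Pattern match AND Header match, as in the architecture."""
    return pattern_vec & header_vec

def throughput_bps(bits_per_cycle, clock_hz):
    """Line rate the matcher sustains: bits consumed per cycle times clock frequency."""
    return bits_per_cycle * clock_hz

# Constructed packet payload and per-rule destination port constraints (None = any).
PAYLOAD = b"GET /index.html HTTP/1.0\r\nX: /bin/sh\r\n"
RULE_PORTS = [80, None, 23]
```

With a destination port of 80 the "/bin/sh" pattern hit is masked out by the header vector, which is exactly the filtering the second-phase HFE unit adds.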
Current state
  • 03/2008 - ids-1.1.2 package release
  • 10/2007 - ids-1.1.1 package release
  • 01/2007 - ids-1.0.0 package release
  • 08/2006 - Snort is accelerated by the IDS probe (P2P program detection results)
  • 08/2006 - Modular design was successfully tested with the IDS project
  • 07/2006 - IDS with multimatch classifier unit
  • 06/2006 - Linux driver for the IDS probe was written
  • 04/2006 - IDS probe with pattern_match unit
  • 01/2006 - first version (string matching only) of the NFA-based pattern matcher unit is finished
  • 10/2005 - statistics concerning the Snort rule set
More information and links
  • IDS poster
  • Traffic Scanner WEB Interface
  • IDS package download page
    • User guide
    • Release notes for the latest package
    • Errata
  • Firmware architecture
    • COMBO6X Card
    • SFPRO Card